Back to skill

Security audit

Language Coach

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward language-correction skill with no executable code, permissions, credential access, network behavior, or persistence.

This skill is reasonable to install for grammar and language review. Be aware that the optional natural-language triggers may make it activate outside the explicit slash commands, and avoid submitting sensitive text unless you are comfortable having the agent process it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill defines alternative triggers like "check my [language]:" and "review this [language]:" in addition to explicit slash commands, which can overlap with ordinary user conversation and cause unintended activation. This can lead to unsolicited text processing, unexpected behavior changes, and make the skill easier to invoke through prompt-injection-style phrasing embedded in normal chat.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.